Online passwords are insecure: study

Apr 03, 2012

Online passwords are so insecure that one per cent can be cracked within 10 guesses, according to the largest ever sample analysis.

The research was carried out by Gates Cambridge scholar Joseph Bonneau and will be presented at a security conference held under the auspices of the Institute of Electrical and Electronics Engineers in May.

Bonneau was given access to 70 million anonymous passwords through Yahoo!  the biggest sample to date  and, using statistical guessing metrics, trawled them for information, including demographic information and site usage characteristics.

He found that for all demographic groups password security was low, even where people had to register to pay by a debit or credit card. Proactive measures to prompt people to consider more secure passwords did not make any significant difference.

There was some variation, however. Older users tended to have stronger online passwords than their younger counterparts. German and Korean speakers also had passwords which were more difficult to crack, while Indonesian-speaking users passwords were the least secure.

Even people who had had their accounts hacked did not opt for passwords which were significantly more secure.

The main finding, however, was that passwords in general only contain between 10 and 20 bits of security against an online or offline attack.

Bonneau, whose research was featured in The Economist, concludes that there is no evidence that people, however motivated, will choose passwords that a capable attacker cannot crack. This may indicate an underlying problem with passwords that users arent willing or able to manage how difficult their passwords are to guess, he says.

(PhysOrg.com) -- A team of researchers has demonstrated how passwords in iPhones and iPads can be retrieved from a stolen or lost device in only six minutes, even if it is locked. The passwords can include ...

Recommended for you

A unanimous Supreme Court ruled Tuesday that federal courts can hear a dispute over Colorado's Internet tax law. One justice suggested it was time to reconsider the ban on state collection of sales taxes from companies outside ...

Hillary Rodham Clinton used a personal email account during her time as secretary of state, rather than a government-issued email address, potentially hampering efforts to archive official government documents ...

Even people with allegedly above average memories can't normally memorize a large string of "randomized" characters and numbers, then if you have to write down your password you run into problems: losing your password, if you can't remember, may mean you're locked out of your own account, or it may mean someone else gains access without you knowing.

then, if you have multiple sites you visit all the time, you get where you have to keep a file folder or a text file on your computer or off the computer, in case the computer breaks down, to keep track of your user names and passwords.

It's happened to me a couple times even on important sites, where I just flat out forgot both my user name and password, and I supposedly have an much above average memory....

And yeah, foreign languages tend to have much longer word forms in many cases as compared to English, so that's probably all the study is picking up on.

A good password doesn't have to be randomized. Example 1: $@#REW seems like a strong password? Wrong, it's only 6 characters long, can be cracked by brute force in a matter of minutes.Example2: IHave226bananasinmypockets. crack that.